Epik Had A Major Breach

Silentptnr

The views expressed on this page by users and staff are their own, not those of NamePros.
From a risk management perspective as far as ensuring the future security of insecurity this may be a poor strategy.

Epik has actively adopted this strategy at crucial moments in recent years, even as criticism mounted over previous choices and the uproar it engendered. You could therefore suspect that the business model (or revenue model) of the company will not change even now.
 
•••
I find Monster getting $32,000,000 for a minority share of Epik, common stock with no board seat, just about 60 days before the biggest hack of conservatives, ever, right when the Jan 6th investigations are taking place, to be very suspicious.

Could some of you domain and registrar experts help me calculate Epik revenues so I can figure out just how ridiculous this valuation is. For example:
1) Number of domains hosted at epik and approximate profit per domain.
2) Number of web hosting accounts and approximate revenues/profit.
3) Break down of any other Epik products and services.
 
•••
His responses are just mind boggling. It's like there is no self-awareness. Why is it so hard to answer the questions raised? We can only presume. It seems like it is a game for him. Like it is a joke. There is no seriousness whatsoever.

Only if you are thinking in terms of a normal, honest business man that cares about people and was trying to be a "force for good". If you were a liar and a grifter that actually wanted to hurt Christians and conservatives then it would all make perfect sense.
 
•••
Could some of you domain and registrar experts help me calculate Epik revenues so I can figure out just how ridiculous this valuation is. For example:
1) Number of domains hosted at epik and approximate profit per domain.
2) Number of web hosting accounts and approximate revenues/profit.
3) Break down of any other Epik products and services.

Have a look at earlier posts in this thread giving Epik domain counts by @jmcc

Possibly hosting numbers and Epik financials can be sourced from the hacked data.

In the absence of any evidence, the $32m investment may not exist. Or it may not be happening due to changed circumstances.
 
•••
Yep, you can file this under fallout from the Epik data breach, and the connections people have already made. This data breach likely played a major role.

I am sure this information is going to continue to be very interesting to the FBI, DOJ and other investigative agencies.

The data obtained from this leak will also help better understand some command-and-control constructs associated with Epik.

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b

•••
"According to the group of Anonymous-affiliated attackers, which issued a press release obtained by independent journalist Steven Monacelli, the hack was in retaliation for Epik’s habit of hosting questionable alt-right websites."

“This dataset is all that’s needed to trace actual ownership and management of the fascist side of the internet,” the group said. “Time to find out who in your family secretly ran an Ivermectin horse porn fetish site, disinfo publishing outfit or yet another QAnon hellhole.”

"Meanwhile, there’s evidence that non-customers were also caught up in the breach. HaveIBeenPwned’s Troy Hunt said that his information was part of the data dump, despite never transacting with Epik in any way. He looked further into the situation and determined that Epik was engaged in data-scraping."

Epik Confirms Hack, Gigabytes of Data on Offer | Threatpost

This is going to be a permanent stain on the Epik legacy.
 
•••
“The breach exposed a huge volume of data not just of Epik customers, but also scraped WHOIS records belonging to individuals and organizations who were not Epik customers,”
 
•••
The Rosetta Stone content of Epik's customers suggests that the recently released leaks were not from the first party to access the data. The leaked data itself indicates that the system has already been rooted before (which has been discussed earlier in this thread). Connections to Russia seemed far-fetched to some at first. Personally, I do not rule out the possibility that state actors were active on the systems. Epik has instructed (US) authorities to investigate this hack and they will likely begin to combine this data with some other sources leaked this year, like but not exclusively ICIJ's, also discussed in this thread.
 
•••
Personally, I do not rule out the possibility that state actors were active on the systems.

Yep, I would not rule that out either. If you were running a misinformation campaign then Epik would be a soft target, low risk, high return. It is a reasonable assumption that multiple actors hacked into their system.
 
•••
An analogy with working from home. Since the covid crisis, more people have started working from home. This has led to a large number of new attack vectors to gain access to company data via the home workers. Like the homeworkers, Epik has proven to be a simple way to obtain all kinds of sensitive data about a group of very influential Americans via that detour. It was the weak(est) link.
 
•••
Epik would be a soft target

Add to that the many photos posted by Epik's CEO on this forum and Twitter to show the details about their infrastructure.
 
•••
Epik has now announced that a bug bounty program is in place, that it will use the services of BugCrowd and that it will work towards a SOC2 certification (unclear what level). One must realize that although certifications and predicates will look good on the homepage, security must be present in the entire DNA of the organization, already from the design stage. It also means that you have access to your own codebase. I am curious whether a transition to a secure fortress will be successful, and wish the company every success.

https://en.wikipedia.org/wiki/Secure_by_design
 
•••
Epik has now announced that a bug bounty program is in place, that it will use the services of BugCrowd

I didn't see a single penny two years ago when I told Rob about the security flaw. Doubt he'll pay now.
 
•••
security must be present in the entire DNA of the organization, already from the design stage. It also means that you have access to your own codebase.

If, according to RM, the case is that they did not have access to the code and the code was "shitty" (opinion arrived at due to the hack and not from eyes on), then a rewrite would be required. This is a massive undertaking. The only feasible process moving forward is to have the old code run while new code is being developed. Does Epik have that capability to essentially write the code from the ground up?

I didn't see a single penny two years ago when I told Rob about the security flaw. Doubt he'll pay now.

I would not accept any bounty from Epik. It is like selling your soul to the devil for peanuts. I accepted $100 once and have regretted it big time. They used it to try to coerce more out of me than originally promised.
 
•••
If you accept a bounty from Epik it creates the impression in their eyes that you are desperate for money. They will use it against you. Trust me.
 
•••
I tend to believe that.

I wondered what RM meant with this:

"Monster: He has no money. He has no money."

https://blog.mollywhite.net/monster-qa/

Yes, as I mentioned earlier in the thread, Monster has an MO of trying to figure out if people are desperate and then try to leverage that. He's a bottom fisher, always searching for ways to take advantage of people. It is just the way he thinks. He does it when searching for businesses to take over and with people on an individual basis. Probably projecting his issues onto others.
 
•••
There is so much here that is not being revealed. The posters in this thread are using a lot of restraint, IMO. I have private message threads that if I wanted to hurt RM or Epik I could reveal. But this is not about revenge or wishing harm. It is about accountability and honesty.
 
•••
There is so much here that is not being revealed. The posters in this thread are using a lot of restraint, IMO. I have private message threads that if I wanted to hurt RM or Epik I could reveal. But this is not about revenge or wishing harm. It is about accountability and honesty.

Yeah, even I haven't posted Monster's emails or Skype DMs to me and other things I have. Not my style, but as he continues to call me a liar for things that are true I will reveal more in defense of his ongoing defamation and lack of responsibility for all the harm he has caused. I imagine he probably thinks it will all blow over soon and go back to normal and he can play victim and call everyone who called him out liars and SJW haters and try to hurt them behind the scenes, but it is not going to go like that.
 
•••
Epik has now announced that a bug bounty program is in place, that it will use the services of BugCrowd and that it will work towards a SOC2 certification (unclear what level). One must ensure that although certifications and predicates will look good on the homepage, security must be present in the entire DNA of the organization, already from the design stage. It also means that you have access to your own codebase. I am curious whether a transition to a secure fortress will be successful, and wish the company every success.

https://en.wikipedia.org/wiki/Secure_by_design

Where was the announcement that they'd be working with BugCrowd?
 
•••
As others will have pointed out, our bug bounty program was informal through email and our ticketing system. We absolutely did and do pay out many bug bounties over the years to ethical hackers.

As of earlier this year, we have been incubating a proprietary bug reporting system. It is not ready yet but we think it is mission critical enough to self-host it.

In the end, we went with a commercial solution since we would rather have hackers choose an ethical path, and we realize that their skills and time have value.

HackerOne is one we did consider for our formal bug bounty platform, but they never replied to our inquiries, which is why we went with BugCrowd.

As for the mystery of the $444 deposited to your GoFundMe page, as I guess that mystery is unsolved for you despite the bread crumbs, here is a clue for what that was about.

Where was the announcement that they'd be working with BugCrowd?

See above.
 
•••
Believe me, if HackerOne doesn't answer your inquiries, something really special might be going on.
 
•••
Monster has an MO of trying to figure out if people are desperate and then try to leverage that. He's a bottom fisher, always searching for ways to take advantage of people.
Sorry your experience is the opposite of mine. When I told Rob of some problems I was having he lent me thousands of dollars and gave me a year to pay him back with zero interest. Because of him I was able to get out of a huge bind. Sorry this has nothing to do with the hack but neither did your comment.

Since I have paid him back he never attempted to leverage anything against me. In fact he even reached out to some high-dollar end users to help me close some deals. He never asked for anything in addition to his normal marketplace commission.

When I hear all of these stories trying to make him sound like a literal monster, I feel really bad because the guy has been nothing but great to me. Other than my personal experience I have no other knowledge or history with him.
 
•••
Sorry your experience is the opposite of mine. When I told Rob of some problems I was having he lent me thousands of dollars and gave me a year to pay him back with zero interest. Because of him I was able to get out of a huge bind. Sorry this has nothing to do with the hack but neither did your comment

So the money is present, but not for security bounties.
 
•••